This past weekend at the Devsigner Conference held in Portland, Oregon, Dylan Tack gave an excellent presentation entitled “Taking control of the Browser Security Model”:
Since the birth of the web, the browser security model has remained nearly static. Recent evolutions make it possible for site operators to fine-tune the security model, and enforce mandatory access controls. This session will focus on Content-Security-Policy, and other browser security features like Strict Transport Security and Public Key Pins.
47% of all web applications have a cross-site scripting vulnerability, and this potential security flaw ranks in the top three classes of all vulnerabilities. [White Hat Security, 2015 Website Security Statistics Report]
A Content Security Policy is a systematic way to block these attacks, by whitelisting allowed sources of script, style, and other resources. The holy grail – blocking “unsafe-inline” code – offers the strongest defense, but can be a big surprise for front-end developers when inline scripts and styles stop working!
If you are developing for the web you need to take a look at his slide deck. If you have any questions, feel free to let me know.
Because HTTP is an extensible protocol, browser vendors have been able to introduce response headers that prevent, or at least raise the cost of, exploiting these vulnerabilities. Knowing what they are and when to apply them lets you harden a site without touching its application code.